Security researchers around the world have their work cut out for them keeping track of malicious scams and campaigns surrounding the coronavirus.
Cybercriminals are unabashedly pulling out all the stops to take advantage of a weary (and largely remote-working) public to spread malware, siphon sensitive information, hold critical systems hostage and line their coffers with ill-gotten gains.
From bogus mobile apps claiming to monitor the virus’ spread to Zoom “bombs,” expect the cons to be creative and only escalate in the coming weeks. We canvassed the web and compiled dispatches from a few leading security firms and volunteer efforts that are keeping a close eye on unfolding attacks.
1) Trustwave has detected two examples of miscreants attempting to lure victims with booby-trapped documents claiming to be important information from the World Health Organization but actually containing a banking Trojan. In one example, targeting Italian speakers:
The attachment is a DOCX Word document “f21203392637.doc” which contains a macro, which when executed leads to malware being dropped onto the system, firstly C:\MyImages\presskey.cmd, which is a simple loader for C:\MyImages\presskey.jse. This malware is known as OSTAP and functions to download the notorious Trickbot, a modular information stealer.
2) Meanwhile, FireEye is reporting that digital marauders are preying on the financial side of the pandemic, customizing their hustles to focus on the U.S. financial stimulus package and small business loans.
Individuals at financial services organizations in the United States were sent emails with the subject line ‘Internal Guidance for Businesses Grant and loans in response to respond to COVID-19’… These emails had OpenDocument Presentation (.ODP) format attachments that, when opened in Microsoft PowerPoint or OpenOffice Impress, display a U.S. Small Business Administration (SBA) themed message and an in-line link that redirects to an Office 365 phishing kit.
3) Handlers at the SANS Internet Storm Center are asking the security community for help chronicling all fraudulent domains being registered with keywords related to coronavirus and COVID-19.
The vast majority of these domains are not actively used or currently display benign “Parked Domain” content. Some are used for legitimate purposes. But there are a few that are used for scams and other illegal activity. We are trying to enlist as many volunteers as possible to help us classify the domains collected by Domaintools.
4) As you might expect, activity in the cybercriminal underground is typically a harbinger of what businesses will soon see in the wild, and according to Trend Micro there is considerable chatter around coronavirus on the dark web.
We’re seeing multiple listings for phishing, exploits, and malware linked to the virus in underground forums. One user…is asking for US $200 for a private build of a coronavirus-themed phishing exploit and an additional US $700 for a Code Sign certificate.
5) Ransomware operators have grown more sophisticated, increasingly spreading file-locking malware by exploiting vulnerabilities in common tools, and that trend is now converging with the coronavirus outbreak; Microsoft is warning that health care targets may be especially at risk.
Microsoft has been tracking REvil as part of a broader monitoring of human-operated ransomware attacks. Our intel on ransomware campaigns shows an overlap between the malware infrastructure that REvil was observed using last year and the infrastructure used on more recent VPN attacks. This indicates an ongoing trend among attackers to repurpose old tactics, techniques, and procedures (TTPs) for new attacks that take advantage of the current crisis.
How to Handle These Threats in the SOC
The good news is that with the introduction of security orchestration, automation and response (SOAR) solutions and their automated playbook capabilities, SOC managers can take steps toward more consistent, repeatable processes for a given investigation type, no matter the analyst working the case.
With automated playbooks, also known as runbooks, managers, architects and analysts can work together to define the flow of activities associated with a specific security issue and subsequent investigation and response. The goal is to build a consistent set of activities followed in every case, no matter the analyst assigned the case.
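As an added illustration (not Siemplify's code or any product's playbook logic), here is a minimal fixed-order triage playbook in Python that runs the same steps over every phishing alert, using the lure themes, attachment types, themed domains and dropped-file artifacts quoted in the dispatches above. The Alert fields, scoring weights, verdict thresholds and sample alerts are constructed assumptions.

```python
"""Constructed example of a repeatable SOC playbook for pandemic-themed phishing alerts."""
import re
from dataclasses import dataclass, field

# Indicators drawn from the dispatches above; weights and thresholds are assumptions.
THEME_RE = re.compile(r"\b(coronavirus|covid-?19|who|stimulus|sba|grants?|loans?)\b", re.I)
MACRO_CAPABLE = (".doc", ".docm", ".xls", ".xlsm")   # Office formats that can carry macros
LINK_BEARING = (".odp", ".pptx", ".pdf")              # documents that can carry phishing links
DROPPED_IOCS = (r"c:\myimages\presskey.cmd", r"c:\myimages\presskey.jse")  # OSTAP chain
THEMED_DOMAIN_RE = re.compile(r"(corona|covid)", re.I)

@dataclass
class Alert:
    subject: str
    link_domains: list                               # domains seen in body or document links
    attachments: list                                # attachment file names
    dropped_files: list = field(default_factory=list)  # endpoint telemetry, if available

def step_theme(a):        # 1. Is the lure pandemic- or stimulus-themed?
    hits = sorted({m.lower() for m in THEME_RE.findall(a.subject)})
    return (f"lure keywords {hits}", 2) if hits else ("no lure keywords", 0)

def step_attachment(a):   # 2. Can the attachment execute code or redirect the user?
    exts = [x[x.rfind("."):].lower() for x in a.attachments if "." in x]
    if any(e in MACRO_CAPABLE for e in exts):
        return ("macro-capable attachment", 3)
    if any(e in LINK_BEARING for e in exts):
        return ("link-bearing document attachment", 2)
    return ("no risky attachment", 0)

def step_domains(a):      # 3. Do linked domains use outbreak keywords (cf. the ISC effort)?
    themed = [d for d in a.link_domains if THEMED_DOMAIN_RE.search(d)]
    return (f"themed domains {themed}", 2) if themed else ("no themed domains", 0)

def step_endpoint(a):     # 4. Has the host already shown the known dropper artifacts?
    seen = [f for f in a.dropped_files if f.lower() in DROPPED_IOCS]
    return (f"known dropper artifacts {seen}", 10) if seen else ("no dropper artifacts", 0)

PLAYBOOK = (step_theme, step_attachment, step_domains, step_endpoint)

def run_playbook(alert):
    """Run every step in the same order for every case and map the total to a verdict."""
    findings, score = [], 0
    for step in PLAYBOOK:
        note, points = step(alert)
        findings.append(f"{step.__name__}: {note}")
        score += points
    verdict = "contain" if score >= 10 else "escalate" if score >= 4 else "close"
    return verdict, score, findings
```

Because the step order and thresholds live in one place, two analysts handling the same alert reach the same verdict and the same recorded findings.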
Dan Kaplan is director of content at Siemplify.